On 20/04/2022 13:58, Alexander Bokovoy wrote:
> On Wed, 20 Apr 2022, lejeczek via FreeIPA-users wrote:
>> Hi guys.
>>
>> @devel perhaps could comment if it's Java among package
>> updates which breaks PKI ?
>>
>> ...
>> ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='whale.mine.private', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9c31d7ba60>: Failed to establish a new connection: [Errno 111] Connection refused'))
>> WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
>> SEVERE: Error deploying deployment descriptor [/etc/pki/pki-tomcat/Catalina/localhost/ca.xml]
>> java.lang.IllegalStateException: Error starting child
>>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
>>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
>>     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
>>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
>>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
>>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
>>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:706)
>> ...
>> ...
>>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
>>     ... 41 more
>> Caused by: java.lang.UnsupportedClassVersionError: netscape/ldap/LDAPException has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0
>>     at java.base/java.lang.ClassLoader.defineClass1(Native Method)
>>     at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1017)
>> ...
>> SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file
>> SEVERE: Context [/acme] startup failed due to previous errors
>> WARNING: An illegal reflective access operation has occurred
>> WARNING: Illegal reflective access by org.apache.catalina.loader.WebappClassLoaderBase (file:/usr/share/java/tomcat/catalina.jar) to field java.io.ObjectStreamClass$Caches.localDescs
>> WARNING: Please consider reporting this to the maintainers of org.apache.catalina.loader.WebappClassLoaderBase
>> WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
>> ...
>>
>> java-11-openjdk-devel-11.0.15.0.1-0.1.ea.el9.x86_64
>> ipa-server-4.9.8-6.el9.x86_64
>>
>> or this is some issue irrespective of java?
>
> It looks like some inconsistency between PKI and Java packages.
> I also noticed you have a previous CentOS 9 Stream compose as ipa-server
> 4.9.8-8.el9 is now available. Perhaps, many packages were upgraded in it
> as well and you might get a better chance?

sorry, wrong c&p from me, that 4.9.8-8.el9 went in along
with other updates, that was when PKI broke.

> Anyway, I asked PKI developers to check what's up with these different
> bytecode versions.
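
One way to find which JARs carry bytecode newer than the running JVM accepts, as an added example that is not part of the thread: every class file starts with the `0xCAFEBABE` magic followed by minor and major version, and the 61.0 and 55.0 in the log above correspond to Java 17 and Java 11. The function names and the in-memory JAR are constructed for this example.

```python
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE


def class_version(data):
    """Return (major, minor) read from the first 8 bytes of a .class file."""
    if len(data) < 8:
        raise ValueError("truncated class file")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("not a Java class file")
    return major, minor


def java_release(major):
    """Map a class file major version to its Java release (valid for Java 5+)."""
    return major - 44


def too_new_classes(jar, runtime_major):
    """List (class name, major) for classes in a JAR the runtime would reject."""
    found = []
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".class"):
                continue
            with zf.open(info) as fh:
                try:
                    major, _ = class_version(fh.read(8))
                except ValueError:
                    continue  # skip entries that are not real class files
            if major > runtime_major:
                found.append((info.filename, major))
    return found


def constructed_jar():
    """Build a sample JAR in memory (constructed data, headers only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("netscape/ldap/LDAPException.class",
                    struct.pack(">IHH", CLASS_MAGIC, 0, 61))
        zf.writestr("example/Old.class", struct.pack(">IHH", CLASS_MAGIC, 0, 55))
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, major in too_new_classes(constructed_jar(), 55):
        print(f"{name}: class file {major}.0 (Java {java_release(major)}) > 55.0")
```

`too_new_classes` also accepts a path to a JAR on disk in place of the constructed one; pass 55 as `runtime_major` for the Java 11 runtime seen in the log.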